b'FEDERAL ELECTION COMMISSION\n\n\nOFFICE OF INSPECTOR GENERAL\n\n\n\n\n       FINAL REPORT\n\n\n\n\n    AUDIT OF AGENCY\n\n  YEAR 2000 RENOVATIONS\n\n           As of 3/31/1999\n\n\n\n\n              May 1999\n\n       AUDIT ASSIGNMENT 98-08\n\n\x0cTable of Contents                                        Final Audit Report No. 98-08\n\n\n\n                               Table of Contents\n\n\nExecutive Summary \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6                                       i\n\n\n\nBackground \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6                                           1\n\n\n        Federal Milestone Dates     \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6                           1\n\n        Mission Critical Systems    \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6                           4\n\n        FEC Gains Momentum          \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6                           5\n\n        Audit Objective, Scope, Methodology \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6                         5\n\n        Statement on Management Controls \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6                         6\n\n\n\nAudit Results         \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6                                   7\n\n\n        Assessing Project Risk       \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6                          8\n\n        Disclosure System Overview \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6                           10\n\n        Presidential Funding Program \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6                         11\n\n        FEC Needs Y2K Outreach Program \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6                          12\n\n        Financial System Overview \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6                            13\n\n        Communications Network Not Fully Compliant         \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6            14\n\n        Inconsistency in Reporting Mission Critical Systems\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6            16\n\n        FEC Needs Contingency Planning \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6                          17\n\n        FEC FAXLINE System Not Scheduled for Y2K Testing      \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6            19\n\n        Independent Verification of Y2K Renovations Needed    \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6            20\n\n        User Acceptance Testing Not Meeting Expectations .\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6             21\n\n        Compliance with Laws and Regulations         \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.              22\n\n\n\nAppendix A\n                User Acceptance Testing Survey   \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.                  24\n\n\nAppendix B\n                Management\xe2\x80\x99s Response to Draft Report   \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.              27\n\n\nAppendix C\n                OIG Comments on Agency Response to Draft Report \xe2\x80\xa6\xe2\x80\xa6..         33\n\n\nAppendix D\n                Audit Letter to Management \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..                    35\n\n\x0cExecutive Summary                                               Final Audit Report No. 98-08\n\n\n\n                              Executive Summary\nThe Office of Inspector General initiated and completed a limited-scope audit of the\n\nYear 2000 (Y2K) renovation project at the Federal Election Commission (FEC). We\n\nconducted our audit to assess the reported progress of the FEC to convert and implement\n\nY2K repairs on its computer systems. Throughout our audit, we regularly updated the\n\nY2K team on project risk that we had identified during our audit fieldwork, and provided\n\nspecific recommendations to reduce the exposure to the FEC from those risks.\n\n\nMilestone dates published by the U.S. Office of Management and Budget (OMB)\n\nestablish progress goals for all Federal agencies. The General Accounting Office (GAO)\n\ndeveloped guidelines for use by Federal agencies as a framework for achieving the OMB\n\nprogress goal of becoming Y2K compliant. We evaluated agency progress using OMB\xe2\x80\x99s\n\nmilestone dates and GAO\xe2\x80\x99s methodology. Based on our audit work, we conclude that the\n\nY2K project status as reported by the FEC is consistent with the actual progress achieved.\n\nAs explained within our audit report, for its internally developed software the FEC has\n\nfunded for independent verification of Y2K renovations through an outside vendor. We\n\ndid not validate those renovations. However, our audit does show that there are still\n\nmajor issues to be resolved to fully prepare computer operations at the FEC for the new\n\nmillennium. Those issues are addressed in the Audit Results section of this report.\n\n\n                             The FEC Shows Progress\n\nThe FEC has been required by OMB to report twice thus far on the progress of its Y2K\nrenovation project. From information contained in the first FEC Y2K report issued in\nApril 1998, OMB assessed the FEC\xe2\x80\x99s Y2K project this way: \xe2\x80\x9cProgress behind schedule.\nNo contingency plan; no IV&V.\xe2\x80\x9d By February 1999, the FEC was reporting 100 percent\nof its mission critical software renovated and tested. However, in its 8th Quarterly\nReport released in March 1999, OMB expressed concerns similar to those it had earlier:\n\n       \xe2\x80\x9cMaking progress on IT systems. The agency is 100% complete in its\n       mission critical software conversion. Anticipated compliance in\n       October. FEC needs a business continuity and contingency plan. The\n       verification and validation plan is weak. FECs payroll and personnel\n       systems will be converted to National Finance Center in October\n       1999.\xe2\x80\x9d\n\n                              Unresolved Y2K Issues\n\nThe Y2K project team has reported repairing over 3,000 software programs consisting of\nover one million lines of programming code, bringing internally developed computer\nprograms into alignment with government-wide milestone dates. Although the FEC is\nmaking progress, the agency\xe2\x80\x99s February 1999 Y2K report to OMB indicates that neither\ncontingency planning or independent verification and validation (IV&V) has yet begun.\nThe report goes on to state that the agency\xe2\x80\x99s computer hardware, 3rd party software, and\n\n\n                                             i\n\x0cExecutive Summary                                              Final Audit Report No. 98-08\n\n\nsupporting communications network are not yet Y2K compliant. In addition, while\nsystem renovation work and program testing has been completed on the agency\xe2\x80\x99s most\nimportant computer system, other testing has yet to be conducted.\n\nAlso, our audit work shows that the FEC has not fully achieved progress required from\npublished OMB directives. For example, a documented inventory of data exchanges with\noutside parties had not been completed and communications have not been established\nwith each data exchange partner on how to fix the Y2K problem. In addition, the FEC\nneeds to develop a listing of all computer services contracts with outside vendors, and\ndetermine whether those contracts comply with Federal regulations requiring Y2K\nprovisions. Furthermore, our audit results show the need for an agency-wide team effort\nto ensure that the FEC will be able to achieve total Y2K compliance in a timely manner.\n\n                             Audit Recommendations\n\nOur audit recommendations addressing the issues discussed above are listed individually\nbeginning on the first page of the Audit Results section in this report. They are also\ncontained within the body of the audit report after the detailed discussion of each\ncorresponding issue. Following our audit recommendations, we have incorporated\npertinent written comments provided by agency management. Management\xe2\x80\x99s response to\nthe draft audit report is included in its entirety as Appendix B. Our subsequent response\nto management\xe2\x80\x99s comments is provided in Appendix C. Finally, our suggestions for\nimprovement to management controls for project planning and reporting metrics has\nbeen forwarded to the appropriate agency officials, and included as Appendix D of this\nreport.\n\n\n\n\n                                            ii\n\x0cBackground                                                                   Final Audit Report No. 98-08\n\n\n\n                                          Background\nComputer systems provide mission critical services for the Federal Election Commission\n(FEC). These systems enable the news media, research institutions, and the public easy\naccess to information regarding funds raised and spent to influence Federal elections. In\naddition, mission critical computer systems at the FEC warehouse information necessary\nto enforce limitations and prohibitions on contributions, process data for the Presidential\npublic funding program, account for government held assets, and maintain personnel and\npayroll data on employees.\n\nComputer systems that cannot accurately store or properly process the century field are at\nrisk of failing when called upon to manipulate data with a date of January 1, 2000 or\nlater. Computer systems that currently use a two digit date field (i.e. \xe2\x80\x9c99\xe2\x80\x9d for the year\n1999) will not be able to recognize \xe2\x80\x9c00\xe2\x80\x9d as the year 2000. This problem is largely the\nresult of the high cost of computer memory in the 1960s and 1970s, when programmers\nadopted a space-saving two-digit programming convention to represent the year. The\nGeneral Accounting Office (GAO) has identified the Year 2000 (Y2K) problem as a\ngovernment-wide high risk issue because of the potential impact if Federal systems fail to\noperate properly.\n\nWe conducted our audit to assess whether the reported project status at the FEC matched\nthe agency\xe2\x80\x99s actual progress in resolving its Y2K problem. By conducting our audit in\naccordance with generally accepted government auditing standards, we also evaluated\nagency compliance with applicable laws and regulations. Based on our audit work, we\nconclude that the progress reported by the FEC is consistent with actual Y2K project\nresults achieved. As explained within the audit report, for its internally developed\nsoftware the FEC has funded for independent verification of Y2K renovations through an\noutside vendor. We did not validate those renovations1. However, our audit does show\nthat there are still major issues to be resolved to fully prepare computer operations at the\nFEC for the new millennium. Those issues are addressed in the Audit Results section of\nthis report. Additionally, our suggestions for improvement of project management are\nbeing provided to the FEC in the form of a Management Letter, which is shown in this\nreport as Appendix D.\n\n                                    Federal Milestone Dates\n\nDuring February 1997, U.S. Office of Management and Budget (OMB) designed an\noverall Federal strategy and authorized the Chief Information Officer, or a similarly\ndesignated official within each of the larger Federal agencies, to direct work and follow\nindustry best practices to resolve the Y2K problem. OMB required each large Federal\n\n1\n  As explained by OMB in its 8th Quarterly Report: \xe2\x80\x9cValidation involves multiple phases of testing,\nincluding a combination of testing of individual components (unit testing), testing of entire systems\n(integration or systems testing), and in some cases, testing of a string of interdependent systems (end-to-\nend testing).\xe2\x80\x9d\n\n\n                                                     1\n\n\x0cBackground                                                               Final Audit Report No. 98-08\n\n\nagency to report on their progress, and also established government-wide milestone dates\nto resolve the Y2K problem, see Exhibit No. 1.2 These milestones dates provided targets\nfor the completion of the majority of work in each phase of Y2K activities. In January\n1998, OMB subsequently revised and accelerated three of the milestone dates.\n\n                                          Exhibit No. 1\n                               OMB Scheduled Milestone Dates\n\n              Phase/Work                       Milestone Date           Revised Date\n\n             Awareness                        12/96                                Same\n             Agency Strategy to be Completed.\n\n             Assessment\n             Inventory and Scope Completed.              3/97                      Same\n\n             System Plans and Schedules.                 6/97                      Same\n\n             Renovation                                12/98                       9/98\n             Coding Repairs to be Completed.\n\n             Validation                                  1/99                      1/99\n             Management Sign-off.\n\n             Implementation                            11/99                       3/99\n             Integrated Testing Completed.\n\n\n             Source: For Milestone Dates and Revised Dates - see Footnote No. 1.\n\n\n\n\nIt was not until March 1998 that OMB established reporting requirements for smaller\nFederal agencies, like the FEC.3 OMB requested that the smaller agencies report their\nY2K status in basically the same format as that published earlier for larger Federal\nagencies. While OMB did not require quarterly reporting from the smaller agencies, they\nwere directed to report on their Y2K project once at the end of April 1998, and again on\nMay 15, 1999. Subsequently, in its 7th Quarterly Report, OMB accelerated the May 1999\nreporting date to February 15, 1999. In its \xe2\x80\x9c8th Quarterly Report - Progress on Year 2000\n\n2\n   \xe2\x80\x9cGetting Federal Computers Ready for 2000,\xe2\x80\x9d published by OMB, dated February 6, 1997. Subsequently\nrevised in OMB M-98-02, dated January 20, 1998.\n3\n  \xe2\x80\x9cProgress Reports on Fixing Year 2000 Difficulties for Small Agencies,\xe2\x80\x9d OMB M-98-07, dated March 9,\n1998.\n\n\n                                                  2\n\n\x0cBackground                                                                Final Audit Report No. 98-08\n\n\nConversion\xe2\x80\x9d issued on March 18, 1999, OMB established new reporting requirements\naffecting each small Federal agency not fully completed in their Y2K renovations. These\nagencies will now be required to report quarterly to OMB until their work is finished.\nAccordingly, this means that the FEC will need to submit its next Y2K progress report to\nOMB on May 15, 1999.\n\nTherefore, the FEC was initially required to only report twice on its Y2K renovation\nproject. However, recognizing the criticality of the Y2K issue, senior management at the\nFEC choose instead to expand upon the mandatory OMB reporting requirement electing\nto publish regular Y2K quarterly reports starting with the first report issued on April 30,\n1998. Based on the information provided by the FEC in the April 1998 report, OMB\nassessed the FEC\xe2\x80\x99s Y2K project as follows: \xe2\x80\x9cProgress behind schedule. No contingency\nplan; no IV&V.\xe2\x80\x9d4 Immediately following the release of each OMB quarterly report, it has\nbeen the practice of the U.S. House of Representative Subcommittee on Government\nManagement, Information and Technology to announce its own assessment on the\nprogress reported by each agency and assign grades between \xe2\x80\x98A\xe2\x80\x99 and \xe2\x80\x98F\xe2\x80\x99 based on their\nprogress. After OMB\xe2\x80\x99s 5th and 8th Quarterly Reports, the only reports thus far to include\nthe efforts for both small and large Federal agencies, the Congressional Subcommittee\nchose not to assign grades to smaller agencies, continuing to grade only the large Federal\nagencies.\n\nIn the March 1998 Y2K directive, OMB required small agencies to achieve progress\ncorresponding to the milestone dates which had been established for the large Federal\nagencies. As can be seen in Exhibit No. 1, three of the milestone dates had already past\nprior to OMB publishing the March 1998 guidance. In that directive, OMB listed the last\nthree revised milestone dates and then summarily stated, \xe2\x80\x9cThe assessment phase should be\ncomplete.\xe2\x80\x9d Furthermore, two other milestone dates cited in OMB\xe2\x80\x99s March 1998\nmemorandum had already come and gone. One for an inventory of data exchanges with\nexternal parties; and the other, to notify each external data provider of the ramifications\nregarding the Y2K problem.\n\nOMB attached the February 1997 Y2K policy that it had issued earlier for the large\nFederal agencies as an appendix to the March 1998 directive for small agencies. As part\nof that policy, OMB stated that its overall strategy is predicated on three basic\nconsiderations, the third of which sets forth the following:\n\n\n       \xe2\x80\x9cGiven the limited amount of time, emphasis will be on mission critical\n       systems. In many agencies such systems are large and complex, which means\n       they will require the most time and be the most challenging to fix.\xe2\x80\x9d\n\n\n\n\n4\n    \xe2\x80\x9cProgress on Year 2000 Conversion, 5th Quarterly Report, issued by OMB, as of May 15, 1998.\n\n\n                                                    3\n\n\x0cBackground                                                            Final Audit Report No. 98-08\n\n\n                                Mission Critical Systems\n\nAs shown in Exhibit No. 2, the FEC is reporting sixteen computer systems as critical to\naccomplishing the agency\xe2\x80\x99s mission. A mission critical system is defined as any system\nthat, should it fail due to the lack of Y2K readiness, the agency will not be able to perform\nits stated mission. In addition to identifying the mission critical systems, Exhibit No. 2\nalso shows the status for each system.\n\nIn its strategic plan, the FEC describes its mission this way: \xe2\x80\x9cThe ultimate mission of the\nFEC is to assure that the campaign finance process is open, fully disclosed and fairly\nenforced, fostering the electorate\xe2\x80\x99s faith in the ultimate fairness of the nation\xe2\x80\x99s political\nprocess.\xe2\x80\x9d Maintaining current and accurate data in its computerized reporting systems is\ncentral to the FEC achieving its mission.\n\n\n                                        Exhibit No. 2\n                          Status of Mission Critical Systems\n                    As Reported by the Federal Election Commission\n\n   System                                   Renovated        Tested          Current Status\n\n   Accounting                               Yes              Yes             Implemented\n   Disclosure                               Yes              Yes             Implemented\n   3rd Party Software                       No               No              In-Process\n   Hardware(3rd Party & FEC Owned)          No               No              In-Process\n   Imaging Micro Updating                   Yes              Yes             Implemented\n   Information                              Yes              Yes             Implemented\n   Mailroom                                 Yes              Yes             Implemented\n   Matching Funds Processing                Yes              Yes             Implemented\n   OGC Tracking                             Yes              Yes             Implemented\n   Open/Closed Minutes Comm. Sec.           Yes              Yes             Implemented\n   Payroll                                  Yes              Yes             Implemented\n   Personnel                                Yes              Yes             Implemented\n   Planning & Management                    Yes              Yes             Implemented\n   Press                                    Yes              Yes             Implemented\n   RAD                                      Yes              Yes             Implemented\n   Teamlinks /Lotus Notes                   Yes              Yes             Implemented\n\n\n   Source: \xe2\x80\x9cReport on Year 2K Remediation\xe2\x80\x9d The Federal Election Commission, dated February 12,\n   1999.\n\n\n\n\n                                                4\n\n\x0cBackground                                                       Final Audit Report No. 98-08\n\n\n                The Y2K Project at the FEC Gains Momentum\n\nDocumentation shows that the FEC began to recognize the potential impact of the Y2K\n\nproblem on future operations, in early 1997. For instance, On March 6, 1997 in a\n\ntransmittal to the Honorable Bob Livingston, Chairman of the House Committee on\n\nAppropriations, the FEC provided Chairman Livingston with its Automated Data\n\nProcessing Strategic Plan for Fiscal Years 1997-2002. In that same transmittal, a cover\n\nletter signed by the Chairman of the FEC listed specific agency computerization\n\ninitiatives requiring future funding considerations. One of these initiatives was the Y2K\n\nissue.\n\n\nAdditionally, during 1997 numerous electronic mail messages issued from the Staff\n\nDirector, continued to alert agency staff at the FEC of the pending Y2K problem. The\n\nStaff Director subsequently left the FEC at the end of July 1998. Agency awareness of\n\nthe problem culminated in the formation of a Y2K project team within the Data Systems\n\nDevelopment Division. The team\xe2\x80\x99s first initiative was to complete an agency-wide\n\ninventory of computer software for \xe2\x80\x9cin-house\xe2\x80\x9d developed programs. This inventory was\n\ndocumented in November 1997, prior to OMB\xe2\x80\x99s directive to small agencies.\n\n\nIn December 1998, the Y2K team reported that all in-house developed programming\n\ncode for systems scheduled to be in operation after January 1, 2000, had been repaired to\n\nrecognize a four digit century structure. Many of the renovated programs had also been\n\npartially or completely tested, and some implemented. During January 1999, the Y2K\n\nproject team began discussions with outside vendors to obtain independent verification\n\nand validation (IV&V) of Y2K renovations.\n\n\nOn February 12, 1999, the FEC issued the second of two mandatory Y2K reports required\n\nby OMB, detailing the current status of the agency\xe2\x80\x99s Y2K renovation efforts. As\n\npreviously stated, the FEC is reporting 100% of its mission critical software converted\n\nand tested. Based on the information provided by the FEC in its February 1999 report,\n\nOMB\xe2\x80\x99s 8th Quarterly Report issued during March 1999 summarized the agency\xe2\x80\x99s\n\nprogress as follows:\n\n\n       \xe2\x80\x9cMaking progress on IT systems. The agency is 100% complete in its\n       mission critical software conversion. Anticipated compliance in October.\n       FEC needs a business continuity and contingency plan. The verification\n       and validation plan is weak. FECs payroll and personnel systems will be\n       converted to National Finance Center in October 1999.\xe2\x80\x9d\n\n\n                    Audit Objective, Scope and Methodology\n\nWe conducted our audit to verify the reported progress of the Y2K renovation project at\nthe FEC, and to evaluate compliance with applicable laws and regulations. To\naccomplish our objectives, we used various methods of data collection including\n\n\n                                             5\n\n\x0cBackground                                                         Final Audit Report No. 98-08\n\n\ninterviews, surveys, and review of documents. Our audit was not limited solely to\nevaluating the agency\xe2\x80\x99s progress for preparing its mission critical systems, we also\nperformed a cursory review of the agency\xe2\x80\x99s overall state of readiness. To obtain a\nperspective on the adequacy of the FEC\xe2\x80\x99s Y2K project we used OMB directives, as well\nas guidance issued by GAO.\n\nThe GAO publication, \xe2\x80\x9cYear 2000 Computing Crisis: An Assessment Guide\xe2\x80\x9d which was\nfinalized in September 1997, had been released in draft in February 1997, and made\navailable as an added resource for Federal agencies to use in evaluating progress on their\nY2K system renovation projects. The GAO guide draws on the work of the CIO Council\nSubcommittee on Y2K, and incorporates guidance and practices identified by leading\norganizations in the information technology industry. The GAO guidelines contain five\nprimary phases, each listing key processes that should be accomplished in order to fully\ncomplete the phase. The five phases are: Awareness, Assessment, Renovation,\nValidation, and Implementation. In their Y2K quarterly reports to OMB, the FEC\naccepted the five phases listed in the GAO guidelines as, the solution framework the\nagency will use to resolve the Y2K issue. Exhibit No. 1, presents OMB milestone dates\nfor each of the five phases. All Federal agencies should have completed the majority of\nthe work for the last OMB milestone date, by March 1999.\n\nWe conducted our survey and fieldwork from December 1998 through March 1999, in\naccordance with generally accepted government auditing standards. The scope of our\naudit was agency-wide.\n\n                            Statement on Management Controls\n\nAs part of our audit, we assessed the system of management controls, policies,\nprocedures, and practices applicable to the FEC\xe2\x80\x99s management of the Y2K project. Our\nassessment was performed to determine the level of control risk for determining the\nnature, extent, and timing of our substantive tests to accomplish our objective.\n\nDue to inherent limitations, a study and evaluation made for the limited scope purposes\ndescribed above, would not necessarily disclose every material weaknesses or reportable\ncondition. However, we identified reportable conditions and recommended\nimprovements for the on-going management of the Y2K compliance effort. These\nconditions and their effects are fully described in the Audit Results section of this report,\nand in the management letter shown as Appendix D.\n\n\n\n\n                                               6\n\n\x0cAudit Results                                                           Final Audit Report No. 98-08\n\n\n\n                                        Audit Results\nIn February 1998, President Clinton issued an Executive Order which directs the head of\neach Federal agency to \xe2\x80\x9cassure that efforts to address the Y2K problem receive the\nhighest priority attention in each agency5.\xe2\x80\x9d Efforts at the FEC in recent months indicate\nprogress in preparing agency computer systems for the new millennium; however, the\nY2K project still has not evolved into an agency-wide team effort. During the course of\nour audit, we regularly briefed FEC officials on audit results and offered suggestions for\nimprovement. Because issues remain to be resolved, we recommend that the FEC:\n\n1.\t For the inventory of its data exchanges, ensure that the internal and external\n    dependency links between enterprise core business areas, processes, and information\n    systems are documented in detail.\n\n2.\t Communicate with each external data exchange partner regarding the Y2K issue, and\n    use the agency\xe2\x80\x99s WEB site as a means of keeping its public informed on the current\n    status of the Y2K problem.\n\n3.\t Update and issue the statement of work requiring Y2K compliant technology for the\n    product and services covered under the ADP contract, complete work on the agency\xe2\x80\x99s\n    internal network, and perform end-to-end testing using FEC data to ensure that the\n    communications network is fully Y2K compliant.\n\n4.\t In future Y2K reports issued to OMB, the FEC should include the computerized\n    communications network as a mission critical system and ensure that the total number\n    of mission critical systems reported conforms with OMB instructions.\n\n5.\t Develop adequate contingency plans for the communications network. In addition, we\n    suggest that the FEC instruct each of its program offices with a high level core\n    business function to submit contingency plans, so that the plans can be evaluated and\n    tested prior to January 1, 2000.\n\n6.\t The FEC FAXLINE System provides an important public service; therefore, we\n    recommend that the FEC perform end-to-end Y2K testing of that system to ensure an\n    uninterrupted continuation of service.\n\n7.\t Develop and issue the statement of work to obtain services for independent\n    verification of Y2K renovations.\n\n8.\t Conduct meetings with each division/office to reassess the number of mission critical\n    systems, as well as the level of verification obtained through user acceptance testing.\n    If user acceptance testing is to be relied upon as reported by the FEC, develop a\n\n\n5\n    \xe2\x80\x9cExecutive Order on Year 2000 Conversion\xe2\x80\x9d dated February 4, 1998.\n\n\n                                                   7\n\n\x0cAudit Results                                                   Final Audit Report No. 98-08\n\n\n    testing environment so system users can properly verify Y2K renovations and system\n    performance.\n\n9.\t Prepare a listing of all agency computer technology contracts, and review those\n    contracts to ensure that the appropriate Y2K language has been included in order to\n    comply with existing Federal regulations.\n\n\n                            Assessing Project Risk\nIn order to keep abreast of events relating to the Y2K renovation effort at the FEC, in\nearly 1998 the Office of Inspector General (OIG) began requesting information on the\nstatus of the agency\xe2\x80\x99s Y2K project. By the fall of 1998, the OIG changed from being a\npassive observer to taking a more active role through monitoring reported progress in the\nY2K renovation project. Our monitoring efforts included assessing by comparison, the\nY2K quarterly reports submitted by the FEC to OMB, and providing management with\nthe results of our analysis. To assist the FEC further in preparing computer systems for\nthe new millennium, the OIG subsequently became one part of a two prong approach for\nindependent verification and validation (IV&V) of agency-wide Y2K renovations.\nInitially, we had offered our services to assist with independent validation of system\ntesting; however, in December 1998 the FEC granted the Y2K project manager funding\nauthority to obtain IV&V services from an outside vendor. Consequently, the agreed\nupon role of the OIG would be to determine whether the progress reported by the FEC\nmatched its overall state of readiness. We placed special emphasis on two priority areas:\n1) systems that provide and receive electronic data from outside parties, and 2) core\nbusiness functions that rely on computer processed data.\n\nAs reported by OMB, the Clinton Administration is committed to ensuring that the Y2K\nproblem does not interfere with the services that the American people rely on. Therefore,\nduring our audit we identified systems, assigning the highest priority to those systems\nwhich transfer data to the public and systems that receive electronic data from outside\nsources. Although most of the core business functions within the agency rely heavily on\ncomputer processed data, we specifically identified six internal processes that either\ntransfer and/or receive electronic data from sources outside the FEC. These six processes\nare: 1) the electronic filing process used by external parties for campaign finance\nreporting, 2) public access through the Direct Access and State Access Programs, 3)\nelectronic data received by the Audit Division, including the Presidential public funding\nprogram, 4) the communications network which transfers the data and also provides for\nInternet access, 5) electronic transfer of accounting and payroll data, and 6) forms,\nschedules, and other documentation provided to the public through electronic data\ntransfer. Our audit assessed the risk associated with the Y2K renovation of the computer\nsystems within these critical areas, and we offer recommendations which we feel will\nreduce the agency\xe2\x80\x99s exposure to the Y2K problem.\n\n\n\n\n                                            8\n\n\x0cAudit Results                                                                Final Audit Report No. 98-08\n\n\nRisk is inherent in any renovation project. One common technique used to assess risk in a\nsystem development or renovation project is to analyze diagrams that chart the flow of\nelectronic data through the system. OMB previously asked each Federal agency, having\nany data exchange with outside sources, to inventory those exchanges. In its directive to\nsmall Federal agencies issued in March 1998, OMB established a goal of February 1, 1998\nfor completing that data exchange inventory, and March 1, 1998 to communicate with\neach exchange partner regarding the Y2K problem.6 While the Y2K project team had\ncompleted an inventory of the agency\xe2\x80\x99s internally developed software programs; upon our\nrequest they were unable to provide a documented inventory of external data exchanges or\nany corresponding data flow diagrams. To address interface and data exchange issues in\nits \xe2\x80\x9cYear 2000 Computing Crisis: An Assessment Guide\xe2\x80\x9d published in September 1997,\nthe GAO recommends \xe2\x80\x9cdeveloping a model showing the internal and external\ndependency links between enterprise core business areas, processes, and information\nsystems.\xe2\x80\x9d Similar to OMB\xe2\x80\x99s directives, the GAO guidelines also recommend \xe2\x80\x9cnotification\nof all outside data exchange entities\xe2\x80\x9d as well as \xe2\x80\x9cthe need for data bridges and filters.\xe2\x80\x9d7\n\nEven when all internal computer systems at the FEC are Y2K renovated, without effective\nprevention efforts there is always a risk that data received from external providers which\nhas been processed, summarized, and transferred from a system not Y2K compliant might\npopulate internal systems with corrupt data. In order to block transfer of non-compliant\ndata, an industry practice is to develop and install front-end filters and system edit checks.\nWhere to install filters and edit checks capable of protecting agency computer systems\nwithout unnecessarily restricting the transfer of data, can be determined from locating and\nidentifying date fields. In addition, the proper placement of sender notification\nprocedures, such as electronic error messaging with standby instructions can be\ndetermined by analyzing data flow.\n\nAudit Recommendation No. 1: We recommend that for the inventory of its data\nexchanges, the FEC ensure that the internal and external dependency links between\nenterprise core business areas, processes, and information systems are documented in\ndetail.\n\nManagement\xe2\x80\x99s Comments to Audit Recommendation No. 1: \xe2\x80\x9cAll data exchanges,\nboth inside and outside have been inventoried and mapped.\xe2\x80\x9d\n\nOIG Response to Management\xe2\x80\x99s Comments for Audit Recommendation No. 1: The\nOIG considers management in agreement with the recommendation and have taken steps\nto implement corrective action.\n\n\n\n\n6\n  \xe2\x80\x9cProgress Reports on Fixing Year 2000 Difficulties for Small Agencies,\xe2\x80\x9d OMB Memorandum for the\nHeads of Selected Agencies, dated March 9, 1998.\n7\n  A data bridge is essentially software code that will transform electronic source data into a compatible\nformat acceptable to the receiving program or system.\n\n\n                                                     9\n\n\x0cAudit Results                                                                      Final Audit Report No. 98-08\n\n\n                    Campaign Finance Disclosure System Overview\n\nThe Disclosure System, appropriately named since it discloses campaign finance reports to\nthe public, receives electronic data from outside sources. Developed in-house by agency\nprogramming staff, the Disclosure System is a complex mix of hardware platforms and\nsoftware programs comprised of many different computer languages. It is the primary\nrepository for millions of campaign finance records received each year from candidates,\npolitical committees, and political parties participating in Federal elections. The\nDisclosure System is capable of both receiving and transmitting electronic data through\neither a dedicated modem using the telecommunications medium (X.25), or via Internet\nprotocol (TCP/IP).\n\n    Exhibit No. 3\n           Electronic Exchange of Federal Campaign Finance Information\n\n\n\n\n                            Candidates,\n                TCP/IP                         Hard Copy, or Data\n                or X.25\n                          Committees, and                  Diskette\n                          Political Parties\n\n\n\n\n      Electronic Filing                            Data Input\n\n\n\n\n                             WEB Site\n                                                                         Disclosure Data Base\n                          www.fec.gov\n\n\n\n\n                                                       Direct Access &                          Public Records\n                                                        State Access                               Facility\n                                                          Programs                              Washington D.C.\n\n\n                                                                          X.25\n\n\n\n\n                                              TCP/IP\n                                                                          The Public\n\n\n\n\n      Source: The Federal Election Commission\n\n\nCandidates and committees submit campaign finance information either through an\nelectronic filing process, by data diskette, or in document form. As part of our audit\nprogram, we conducted interviews with agency staff and constructed a data flow diagram\n\n\n                                                       10\n\n\x0cAudit Results                                                           Final Audit Report No. 98-08\n\n\nfor disclosure of campaign finance information (see Exhibit No. 3). The FEC provides\ncampaign finance information free of charge on the WEB. In addition, the public has free\naccess to this information at the Public Records Facility at offices located in Washington,\nDC. Users requiring more detailed information about candidates, parties, and political\naction committees either subscribe on-line to the Direct Access Program, or in the case of\nState election offices obtain free access through the State Access Program.\n\nData from the electronic filing process is submitted directly into either the agency\xe2\x80\x99s WEB\nsite or the Disclosure Data Base. The electronic filing software available from the FEC\nwas built Y2K complaint. According to the FEC, during January 1999 the Y2K renovated\nversion of the Disclosure Data Base scheduled to be in operation in the year 2000, has\nbeen fully implemented along with both the Direct Access and State Access Programs.\n\nFully Y2K compliant is defined by the Federal Acquisition Regulations as information\ntechnology that, \xe2\x80\x9caccurately processes date/time data (including, but not limited to,\ncalculating, comparing, and sequencing) from, into, and between the twentieth and\ntwenty-first centuries, and the years 1999 and 2000 and leap year calculations, to the\nextent that other information technology, used in combination with the information\ntechnology being acquired, properly exchanges date/time with it8.\xe2\x80\x9d\n\nAlthough the FEC is currently reporting the Disclosure System as completely converted,\ntested, and implemented; it does not operate independently. For example, without a Y2K\ncompliant communications system, the FEC will not be able to conduct \xe2\x80\x9cend-to-end\xe2\x80\x9d\nsystem testing to ensure full Y2K compliance, as defined by Federal regulations. The\ncommunications network in conjunction with end-to-end testing are discussed later in this\nreport. In addition, data filters and bridges will need to be tested to ensure that only Y2K\ncompliant data is permitted to integrate with the Disclosure System and the agency\xe2\x80\x99s\nWEB site.\n\n                     The Presidential Public Funding Program\n\nThe Audit Division evaluates the matching fund submissions of Presidential candidates and\ndetermines the amount of contributions that may be matched with Federal funds. Federal\nregulations require that for any data submitted for the Presidential public funding program\nwhich is generated directly or indirectly from computerized files or records, the candidate\nshall submit a copy of the contributor list on magnetic media.9 The FEC has established\nand published filing format specifications for the data sent via magnetic tape.10 The date\nfields in the current version of the specifications are shown in a six digit format\n(YY/MM/DD). According to staff within the Audit Division, the documentation is\nscheduled to be updated prior to the 2000 Presidential election cycle. Data received by\nthe Audit Division for the Presidential public funding program is first reviewed by agency\n\n8\n  \xe2\x80\x9cFederal Acquisition Regulation; Year 2000 Compliance\xe2\x80\x9d, dated August 22, 1997.\n9\n  Title 11, of the Code of Federal Regulations (CFR), section 9036.1(b)(2).\n10\n   \xe2\x80\x9cFinancial Control and Compliance Manual, For Presidential Primary Candidates Receiving Public\nFinancing.\xe2\x80\x9d Federal Election Commission, dated January 1996.\n\n\n                                                 11\n\n\x0cAudit Results                                                    Final Audit Report No. 98-08\n\n\nstaff before it is ever integrated into an internal computer system. This substantially\nreduces the risk that non-compliant Y2K data will inadvertently be input into an agency\ndatabase.\n\nHowever, the Audit Division also gathers information from candidates, committees, and\npolitical parties selected for an examination of their campaign finance activities. This\ninformation may be received on magnetic tape, or on data diskette, or as a flat file sent\nthrough the Internet. Audit staff we interviewed were unaware of any established\ncommunications to notify data exchange partners of the potential problems to either\nthemselves or the FEC, if non-compliant Y2K date fields are transferred.\n\n\n                    The FEC Needs Y2K Outreach Program\n\nAs previously stated, in March 1998 OMB established milestone dates for every small\nFederal agency to communicate with each of their external data exchange partners\nregarding the Y2K problem. During calendar year 2000, thousands of candidates,\ncommittees, and political parties will be eligible to exchange electronic data with the FEC.\nThe Office of Election Administration (OEA) at the FEC does assist state and local\nelection officials by responding to inquiries, publishing research and conducting\nworkshops on all matters related to election administration. In addition, the OEA briefs\nforeign delegations on the U.S. election process, including voter registration. In this\ncapacity, OEA has designed into their outreach program notification to all 50 State\nelection officials of the potential risk involved in running unverified automated elections\nsystems in the year 2000.\n\nHowever, agency outreach efforts to date have not included notification to all eligible\nexternal data providers of the potential consequences of sending non-compliant electronic\ndata to the FEC. In its April 1998 Y2K quarterly report to OMB, the FEC stated that it\noriginally intended \xe2\x80\x9cto begin alerting its customer base starting in June 1998, of the\nformat changes and the implementation schedule.\xe2\x80\x9d The report also stated that the FEC\nwould use the mail to contact all subscribers using the Direct Access Program, after that\nprogram was fully implemented on January 1, 1999. In discussions with the Y2K project\nteam during January 1999, the project manager stated that the FEC no longer intends to\ncontact its customer base regarding issues specific to the Y2K problem. According to the\nY2K project manager, this change of policy is due partly to the fact that the FEC\nelectronic filing software was developed Y2K compliant and is made available free of\ncharge. In addition, although electronic filers do not have to use the FEC developed\nsoftware, those that acquire custom designed programs must first be individually validated\nbefore they can send electronic data to the FEC. Electronic filers are provided with filing\nformats as well as a password. Therefore the FEC concludes, it is not necessary to notify\neach eligible electronic filer of issues relating specifically to the Y2K problem, and the\nissue was dropped from the February 1999 Y2K report to OMB.\n\n\n\n\n                                             12\n\n\x0cAudit Results                                                    Final Audit Report No. 98-08\n\n\nWe believe that this logic runs contrary to the Y2K directive issued by OMB requiring all\nFederal agencies to establish communications with each external data partner regarding\nthe Y2K issue, no later than March 1, 1998. First of all, electronic filers are not the\nagency\xe2\x80\x99s only data exchange partners. Also, in order to successfully exchange electronic\ndata between two computer systems, there must be a similar file format; or if not, at least\na software bridge to accommodate dissimilar formats. Second, no system administrator is\ngoing to allow an outside entity to exchange data without obtaining proper access rights.\nTherefore, for the electronic filing process, the FEC is simply following standard\nprocedures required under normal operating conditions, and not communicating with each\ndata exchange partner on how to fix the Y2K problem, as requested by OMB.\n\nAs shown previously in Exhibit No. 3, the FEC maintains an Internet WEB site. In\naddition to providing public access to Federal campaign information, this site provides a\nhost of general information relating to the FEC. This information includes instructions on\nelectronic filing in order to assist software developers and programmers when converting\nexisting programs to conform to the electronic filing system. Early in our audit, we\nsuggested to the Y2K project team that the WEB site could be used to keep the agency\xe2\x80\x99s\npublic current regarding the Y2K problem.\n\nAudit Recommendation No. 2: We recommend that the FEC communicate with each\nexternal data exchange partner regarding the Y2K issue, and use the agency\xe2\x80\x99s WEB site as\na means of keeping its public informed on the current status of the Y2K problem.\n\nManagement\xe2\x80\x99s Comments to Audit Recommendation No. 2: \xe2\x80\x9c\xe2\x80\xa6we have\ncommunicated guidance on the Website and in the Direct Access Program login header.\nAdditionally, we will contact those known entities who are involved in providing software\nto the electronic filing community and alert them to this requirement.\xe2\x80\x9d\n\nOIG Response to Management\xe2\x80\x99s Comments for Audit Recommendation No. 2: The\nOIG considers management in agreement with the recommendation and have taken steps\nto implement corrective action.\n\n\n                            Financial System Overview\n\nComputer systems at the FEC maintain and process personnel and accounting data for an\nagency staff of over 300 full-time employees, and a budget of more than $30 million. The\nfinancial system is essentially composed of three integrated computerized systems:\npersonnel, payroll, and accounting.\n\nThe flow of electronic information within the financial system starts with the personnel\nsystem which transfers data to the payroll system. From the payroll system, data is then\nsent to the accounting system. Both accounting and payroll data is subsequently\ntransferred to the U.S. Department of Treasury (Treasury). This simple flow of\ninformation is shown in Exhibit No. 4.\n\n\n                                            13\n\n\x0cAudit Results                                                             Final Audit Report No. 98-08\n\n\n\n\nExhibit No. 4\n                     Electronic Data Exchange for the Financial System\n\n      FEC Personnel System\n\n\n\n\n                             FEC Payroll System\n\n\n\n\n                                                  FEC Accounting System      U.S. Department of Treasury\n\n\n\n\n Source: The Federal Election Commission\n\nCurrently, the financial system receives no electronic data from sources outside of the\nFEC. The data exchange with Treasury is accomplished through system software supplied\nto the FEC by the Treasury. The data exchange process to Treasury begins with FEC\nstaff downloading accounting and payroll data onto a data diskette; manually transferring\nthe diskette to a desktop computer; uploading the data into the Treasury supplied\nsoftware; and completing the transfer.\n\nThe FEC intends to outsource both the personnel and payroll systems to the National\nFinance Center (NFC). In its August 1998 quarterly report to OMB, the FEC stated that\nthe transfer of the two systems would not be completed until at least October of 1999.\nThe FEC had hoped to migrate these two systems to the NFC much earlier, but the\ntransfer was delayed due to the NFC dealing with its own Y2K problems. Because of the\nrisk associated with the late transfer of these two systems, the FEC decided to go ahead\nand renovate both systems. Consequently, each individual component of the financial\nsystem has now been Y2K renovated. However, these integrated systems also use the\ncommunication network, and as discussed below that system is not fully Y2K compliant.\n\n\n                 Communications Network Not Fully Compliant\n\nAs reported by the FEC, its telecommunications fall into two major categories: 1)\ncommunications associated with the telephone system, and 2) communications associated\nwith computer data. This latter grouping is further sub-divided into communications\nprovided through an ADP contractor, communication services provided by an electronic\nfiling contractor, and the internal communications network operated and maintained by the\nagency\xe2\x80\x99s information technology staff. While the electronic filing contractor is reporting\ntheir services as Y2K compliant, the current ADP contract has no provisions requiring the\nvendor to be compliant; furthermore, the contract is scheduled to expire during June 1999.\n\n\n                                                       14\n\n\x0cAudit Results                                                    Final Audit Report No. 98-08\n\n\nIn addition, while the Y2K project team is in the process of renovating the internal data\ncommunications environment, work remains to be done.\n\nAs part of our audit fieldwork, we reviewed the ADP services contract. Products and\nservices provided through the ADP contractor include Internet services, as well as\ncommunication software and computer hardware. The statement of work for the current\ncontract was issued on November 9, 1992, with vendor proposals due by February 1,\n1993. After detailed evaluation of each vendor response, the contract was subsequently\nawarded on June 3, 1993. It took approximately eight months to award the 1993\ncontract, which did not include the time required to develop the statement of work prior\nto its issuance. The contract was awarded for services to cover a 72 month period, with\nthe agency having an automatic \xe2\x80\x9cright of extension\xe2\x80\x9d of vendor supplied products and\nservices to the 78th month. This could extend the contract on a month-to-month basis at\nthe option of the FEC through December 1999. While the Y2K project manager\nanticipates awarding a contract proposal during 1999 for communication services similar\nto those provided under the 1993 contract including provisions for the vendor to\ndemonstrate the product and services, to date there has been no statement of work issued\nfor a new contract.\n\nIn its February 1999 Y2K report to OMB, the FEC states: \xe2\x80\x9cAlthough the ADP contractor\nis responsible for a major application, whether or not they are Y2K compliant at this\njuncture is not relevant.\xe2\x80\x9d However, in its publication, \xe2\x80\x9cYear 2000 Crisis: A Testing\nGuide\xe2\x80\x9d issued in November 1998 the GAO takes a diametrically opposite position, as\nfollows:\n\n        \xe2\x80\x9cIn order to execute end-to-end testing and ensure that all systems in the\n        chain of support to core business areas function as intended, the\n        telecommunications infrastructure that interconnects the systems must be\n        compliant and ready for testing. Ensuring that the vendor-supported\n        components of the telecommunications infrastructure are compliant is a\n        process that should have begun as part of establishing the test\n        infrastructure. By now this process should have been completed for all\n        telecommunications systems.\xe2\x80\x9d\n\nIn its March 1998 \xe2\x80\x9cMemorandum to the Heads of Small Agencies,\xe2\x80\x9d OMB stated: \xe2\x80\x9cAll\nFederal agencies must be prepared to make a smooth transition through the year 2000.\xe2\x80\x9d\nLate delivery of a Y2K compliant communications network presents a substantial risk for\nresolving the agency\xe2\x80\x99s Y2K problem. Not only may there not be enough time for the\nagency to adequately test vendor products and services, but also mandatory end-to-end\ntesting of systems which exchange or transfer data through the network may not be\ncompleted in time. In its \xe2\x80\x9cYear 2000 Computing Crisis: An Assessment Guide,\xe2\x80\x9d GAO\nstates: \xe2\x80\x9cThe purpose of end-to-end testing is to verify that a defined set of interrelated\nsystems, which collectively support an organizational core business area or function,\ninteroperate as intended in an operational environment (either actual or simulated).\xe2\x80\x9d\nLate renovation of the FEC\xe2\x80\x99s communication network could mean that end-to-end testing\n\n\n                                            15\n\n\x0cAudit Results                                                     Final Audit Report No. 98-08\n\n\nof Y2K renovations will be delayed; or worse, not done at all. Therefore, it is essential to\nformulate an immediate strategy to address this critical issue.\n\nAudit Recommendation No. 3: We recommend that the FEC update and issue the\nstatement of work requiring Y2K compliant technology for the product and services\ncovered under the ADP contract, complete work on the agency\xe2\x80\x99s internal network, and\nperform end-to-end testing using FEC data to ensure that the communications network is\nfully Y2K compliant.\n\nManagement\xe2\x80\x99s Comments to Audit Recommendation No. 3: \xe2\x80\x9cThe CBD Notice for\nRFP9902 (Information Technology) was issued on April 13, 1999. The RFP is expected\nto be available April 26, 1999 with an estimated award date of late August. Complete\nimplementation, including 30 day minimum parallel and Y2K testing is expected to be\naccomplished by November 30, 1999.\xe2\x80\x9d\n\nOIG Response to Management\xe2\x80\x99s Comments for Audit Recommendation No. 3: Of\nspecial concern in management\xe2\x80\x99s response is the uncertainty surrounding the scheduled\nlate implementation of the Information Technology contract (commonly referred to as the\n\xe2\x80\x9cADP contract\xe2\x80\x9d), which provides computer services for / between the FEC and the central\ncomputer facility housing the Disclosure Database. As stated, agency officials only expect\nY2K testing on that contract to be accomplished by November 30, 1999. This is much\nlater than established government-wide milestone dates and presents a significant risk to\nthe FEC.\n\n\n         Inconsistency in Reporting Total Mission Critical Systems\n\nFor OMB reporting purposes, the FEC does not currently include the communications\nnetwork in the count for total mission critical systems. Yet, the FEC describes the\ncommunications system as a \xe2\x80\x9cmajor application\xe2\x80\x9d in its February 1999 Y2K report. OMB\nhas published guidelines recommending that agency computer systems be classified as\neither mission critical or non-mission critical. OMB has consistently requested that\nagency\xe2\x80\x99s provide a status on the total number of mission critical systems, so that the\nAdministration can issue accurate progress reports on fixing the Y2K problem in Federal\nsystems to the American people.\n\nIn addition, OMB has requested that mission critical systems be reported as compliant; or\nif not compliant, classified as being replaced, repaired, or retired. In its February 1999\nY2K report to OMB, the FEC is reporting the total number of mission critical systems as\nsixteen, yet the number of mission critical systems listed within the report as compliant,\nreplaced, repaired, and retired actually adds up to a total of eighteen systems. This\ninconsistency, as depicted in the following table taken from the February 1999 FEC Y2K\nreport, has caused some confusion.\n\n\n\n\n                                             16\n\n\x0cAudit Results                                                             Final Audit Report No. 98-08\n\n\n     Total number of           Number          Number to be       Number to be       Number to be\n     Mission-Critical         Compliant         Replaced           Repaired            Retired\n        Systems\n            16                     14                 3                  1                  0\n\n\nIn its March 1998 directive entitled \xe2\x80\x9cMemorandum to the Heads of Small Agencies\xe2\x80\x9d OMB\nrequests that, \xe2\x80\x9cFor this table, the four right-hand columns (\xe2\x80\x9cNumber Compliant,\xe2\x80\x9d\n\xe2\x80\x9cNumber Being Replaced,\xe2\x80\x9d \xe2\x80\x9cNumber Being Repaired,\xe2\x80\x9d \xe2\x80\x9cand Number Being Retired\xe2\x80\x9d)\nmust add up to the left-hand column (\xe2\x80\x9cTotal Number of Mission-Critical Systems\xe2\x80\x9d).\xe2\x80\x9d\nConsequently, in its most recent quarterly report, OMB has identified the FEC as having\neighteen mission critical systems; when in fact, the FEC is only currently reporting sixteen\nmission critical systems. In that report, OMB issued new reporting requirements asking\neach small Federal agency that has not fully completed their Y2K renovation work, to\nbegin reporting quarterly to OMB on their progress11. This means that the FEC will need\nto issue its next Y2K progress report to OMB on May 15, 1999.\n\nAudit Recommendation No. 4: We recommend that in future Y2K reports issued to\nOMB, the FEC include the computerized communications network as a mission critical\nsystem and ensure that the total number of mission critical systems reported conforms with\nOMB instructions.\n\nManagement\xe2\x80\x99s Comments to Audit Recommendation No. 4: \xe2\x80\x9cWith regards to FEC\nowned internal communications equipment, the FEC will make every effort to ensure Y2K\ncompliance.\xe2\x80\x9d\n\nOIG Response to Management\xe2\x80\x99s Comments for Audit Recommendation No. 4:\nManagement states that every effort will be made to ensure the FEC owned internal\ncommunications equipment is Y2K compliant. However, management\xe2\x80\x99s comments are\nnon-responsive to our recommendation to include the computerized communications\nnetwork as a mission critical system and ensure that the total number of mission critical\nsystems reported conforms with OMB instructions.\n\n\n                          The FEC Needs Contingency Planning\n\nContingency plans ensure the continuity of core business processes. Theoretically with\nadequate contingency planning a mission critical system could fail, yet the FEC would still\nbe able to accomplish its mission. On the other hand, without a well designed contingency\nplan the failure of the one major system, such as the agency\xe2\x80\x99s communications network,\ncould disrupt operations for the entire organization. During 1998, OMB asked each\nFederal agency to identify all mission critical systems not expected to be fully Y2K\ncompliant by March 1999, and also report the date that a corresponding contingency plan\n\n11\n     \xe2\x80\x9c8th Quarterly Report: Progress on Year 2000 Conversion,\xe2\x80\x9d issued by OMB on March 18, 1999.\n\n\n                                                   17\n\n\x0cAudit Results                                                      Final Audit Report No. 98-08\n\n\nwould be in place. The FEC has reported that it is still in the process of both renovating\nits own data communications environment and ensuring that the ADP communications\ncontract is compliant. Additionally, OMB has repeatedly requested that contingency plans\nfor high-level core business functions be completed and tested.12 In its February 1999\nY2K quarterly report to OMB, the FEC simply states, \xe2\x80\x9cDuring the remaining months of\ncalendar year 1999, the FEC will develop a contingency plan for the remote possibility\nthat the computer systems become inoperable.\xe2\x80\x9d In its 8th Quarterly Report issued during\nMarch 1999, OMB expressed the following concerns regarding the FEC\xe2\x80\x99s Y2K project:\n\n        \xe2\x80\x9cMaking progress on IT systems. The agency is 100% complete in its\n        mission critical software conversion. Anticipated compliance in\n        October. FEC needs a business continuity and contingency plan. The\n        verification and validation plan is weak. FECs payroll and personnel\n        systems will be converted to National Finance Center in October\n        1999.\xe2\x80\x9d\n\nAudit Recommendation No. 5: We recommend that the FEC develop adequate\ncontingency plans for its communications network. In addition, we suggest that the FEC\ninstruct each of its program offices with a high level core business function to submit\ncontingency plans, so that the plans can be evaluated and tested prior to January 1, 2000.\n\nManagement\xe2\x80\x99s Comments to Audit Recommendation No. 5: \xe2\x80\x9cFor the\ncommunications network, the FEC will review its current procedures for addressing a\ncommunications network failure. A contingency plan will be developed to address such a\nfailure in the event it should occur. Preliminary discussions regarding this issue have\nbeen held. A formal plan is scheduled to be developed.\xe2\x80\x9d\n\nOIG Response to Management\xe2\x80\x99s Comments for Audit Recommendation No. 5: In\nregards to management\xe2\x80\x99s comments on contingency planning, it is noted that the FEC has\nheld preliminary discussions regarding this issue and a formal plan is scheduled to be\ndeveloped; however, recent OMB testimony before Congress indicates that all Federal\nagencies are expected to submit business continuity and contingency plans by June 15,\n1999. Therefore, we believe that the FEC should strongly consider the contributions and\nsuggestions offered in Finding Number 1, of our Management Letter shown in Appendix\nD of this report. These suggestions include using an electronic supplied version of a\nbenchmark comprehensive Y2K plan as the foundation for developing an FEC-wide team\neffort for contingency planning and staff involvement.\n\n\n\n\n12\n  \xe2\x80\x9cRevised Reporting Guidance on Year 2000 Efforts\xe2\x80\x9d OMB M-99-09, Memorandum for the Heads of\nSelected Agencies, dated January 26, 1999.\n\n\n                                              18\n\n\x0cAudit Results                                                     Final Audit Report No. 98-08\n\n\n\n\n           FEC FAXLINE System Not Scheduled for Y2K Testing\n\nThe Public Disclosure Division processes incoming campaign finance reports from\npolitical committees and candidates involved in Federal elections, and makes those reports\navailable to the public in paper form, on microfilm, and through digital computer images.\nThe division also manages the FEC FAXLINE System, an automated faxing service which\ntransfers electronic information to the public. The FEC FAXLINE System has over 440\ndocuments and publications available for immediate transmission. Materials available\nthrough this service include the forms necessary to report Federal campaign finance\nactivities. In each of its quarterly reports assessing the progress of Y2K renovations in the\nFederal sector, OMB has stated that the Clinton Administration is committed to ensuring\nthat the American people will continue to receive the services they rely on and government\nservices will not be disrupted by the transition to the year 2000.\n\nDuring February 1999, the Public Disclosure Division implemented a new FEC FAXLINE\nSystem that was developed Y2K compliant and is supported through a contract with an\noutside vendor. The system consists primarily of a host computer installed with\nsupporting software, and a twelve hour back-up power unit. The FEC FAXLINE System\nis not connected directly to the FEC communications network, instead data is delivered\nthrough eight dedicated phone lines. The FEC FAXLINE System also maintains a\ndedicated diagnostic phone line used by the vendor to troubleshoot the system. According\nto the Y2K project team, no plan is being considered to have the FEC FAXLINE System\ntested from end-to-end specifically for Y2K compliance. When interviewed, the Y2K\nproject manager maintains that the only risk to the public is to have an invalid time stamp\nplaced on the document received. Without end-to-end testing to include the supporting\ntelecommunications infrastructures, the full consequences will remain unknown.\n\nAudit Recommendation No 6: The FEC FAXLINE System provides an important\npublic service; therefore, we recommend that the FEC perform end-to-end Y2K testing of\nthat system to ensure an uninterrupted continuation of service.\n\nManagement\xe2\x80\x99s Comments to Audit Recommendation No. 6: \xe2\x80\x9cWe agree that the\nFAXLine should be tested, and that the system should be communicated directly to the\npublic records office.\xe2\x80\x9d\n\nOIG Response to Management\xe2\x80\x99s Comments for Audit Recommendation No. 6: The\nOIG considers management in agreement with the recommendation and will take steps to\nimplement corrective action.\n\n\n\n\n                                             19\n\n\x0cAudit Results                                                      Final Audit Report No. 98-08\n\n\n\n\n            Independent Verification of Y2K Renovations Needed\n\nOMB has asked each Federal agency \xe2\x80\x9cto assure independent verification that systems are\nfixed and to assure that information reported is accurate.\xe2\x80\x9d13 During December 1998, the\nY2K project team and the OIG entered into a cooperative agreement for verification and\nvalidation of agency-wide Y2K renovations. The agency\xe2\x80\x99s plan would consist of a two\nprong approach: 1) the agency would contract with an outside vendor for verification of\nY2K renovations, and 2) the OIG would compare the agency\xe2\x80\x99s reported progress to its\nactual state of readiness with particular emphasis placed on mission critical systems that\nexchange data electronically with the public. It was not until December 1998 that the FEC\ngranted the Y2K project manager the funding authority to obtain IV&V services from an\noutside vendor. Although the Y2K project team continues in discussions with potential\nvendors, the FEC still has not awarded a contract for IV&V testing of agency-wide Y2K\nrenovations.\n\nIn the first paragraph of its February 1999 Y2K report to OMB, the FEC asserts that\n\xe2\x80\x9c100% of the FEC\xe2\x80\x99s mission critical software has now been renovated and tested.\xe2\x80\x9d If the\nreader did not scrutinize the report further, we believe that this statement by itself might\nlead the reader to an invalid conclusion that progress in the renovation and testing effort\nhas reached a level, which in fact has not been achieved. For instance, as explained later in\nthe body of the February 1999 Y2K report, while system testing has been completed on\nthe Disclosure System, other testing has yet to be concluded. In addition, testing of\ncomputer hardware and 3rd party software remain, both systems are listed as mission\ncritical. It should be noted that additional software renovations along with system testing\nmay be necessary as a result of feedback received from the proposed IV&V process. Also\nas described next, our audit results show that user acceptance testing has fallen far short of\nthe expected outcome. Without immediate action, there is a risk that that the FEC will not\nbe able to validate and verify Y2K renovations and testing in time.\n\nAudit Recommendation No. 7: We recommend that the FEC develop and issue the\nstatement of work to obtain services for independent verification of Y2K renovations.\n\nManagement\xe2\x80\x99s Comments to Audit Recommendation No. 7: \xe2\x80\x9cYour\nrecommendation\xe2\x80\xa6was implemented April 19, 1999 via a contract with SEEC, Inc. In\norder to ensure independent verification, validation will be accomplished at the vendor\nsite.\xe2\x80\x9d\n\nOIG Response to Management\xe2\x80\x99s Comments for Audit Recommendation No. 7: The\nOIG considers management in agreement with the recommendation and is taking\nappropriate steps to implement the recommendation. While verification of code at the\nvendor\xe2\x80\x99s site provides a degree of assurance that due diligence was performed by the\n\n13\n  \xe2\x80\x9cRevised Reporting Guidance on Year 2000 Efforts\xe2\x80\x9d OMB-M-98-12, Memorandum for the Heads of\nSelected Agencies, dated July 22, 1998.\n\n\n                                              20\n\n\x0cAudit Results                                                         Final Audit Report No. 98-08\n\n\nagency in repairing programming code; it should also be pointed out that the vendor\nusually will not attest to the level of compliance. Consequently, the method recommended\nby both OMB and the GAO to ensure code compliance, as well as the reliability of other\nY2K renovations including computer hardware and communication software, is through\nend-to-end testing of each system.\n\n                 User Acceptance Testing Not Meeting Expectations\n\nDuring our early discussions with the Y2K project team, we were informed that the FEC\nwas relying on user testing to verify Y2K renovations after the converted systems were\nimplemented. The GAO guidelines define acceptance testing as the process, \xe2\x80\x9cto verify\nthat the complete system (i.e., the full complement of application software running on the\ntarget hardware and systems software infrastructure) satisfies specified requirements\n(functional, performance, and security) and is acceptable to end users.\xe2\x80\x9d14 In both the\nAugust 1998 and February 1999 Y2K reports and using almost identical wording, the\nFEC states: \xe2\x80\x9cBy bringing each program on-line as it is repaired or converted we utilize\nthe best testing environment available, the actual user of the programs.\xe2\x80\x9d While the\nnormal operating environment may provide assurance that Y2K changes have not\nintroduced errors to adversely affect the functionality of a particular computer program;\nwithout structured technical assistance there can be no guarantee that critical future dates\nwill actually be tested by the users of the system. In addition, GAO guidelines recommend\nthat initial acceptance testing be part of the validation phase, prior to implementation of\nthe renovated system.15 To determine whether the user environment provided assurance\nthat Y2K renovations were complete and adequate, we surveyed the users of each mission\ncritical computer system reported by the FEC as implemented.\n\nDuring February 1999, we sent a user survey (see Appendix A) to each of the twelve\ndivisions/offices responsible for the sixteen reported mission critical systems, so that we\ncould determine the effectiveness of user acceptance testing. Except for computer\nhardware and 3rd party software applications, the FEC is currently reporting all other\nmission critical computer systems as fully Y2K renovated and in operation. Of the\nfourteen mission critical systems reported by the FEC as completely renovated and\nimplemented, only a single system was reported as receiving a thorough user acceptance\ntest. Nine divisions/offices reported either performing no user acceptance testing, or only\nincidental testing as a by-product of routine operations. One of the division/offices\nresponded that their system was not yet Y2K compliant. One office did not respond to\nour survey.\n\nIt was evident from the survey results, users have not received adequate technical\nassistance to perform acceptance testing. In addition, some divisions/offices listed by the\nFEC as having responsibility for a mission critical system were not sure whether they\n\n\n\n14\n     \xe2\x80\x9cYear 2000 Computing Crisis: A Testing Guide\xe2\x80\x9d GAO, dated November 1998.\n15\n     \xe2\x80\x9cYear 2000 Computing Crisis: An Assessment Guide\xe2\x80\x9d GAO, dated September 1997.\n\n\n                                                 21\n\n\x0cAudit Results                                                            Final Audit Report No. 98-08\n\n\noperated a mission critical system, or not. Furthermore, the responses from two\ndivisions/offices indicated that they didn\xe2\x80\x99t have a mission critical system.\n\nAudit Recommendation No. 8: We recommend that the Y2K project team conduct\nmeetings with each division/office to reassess the number of mission critical systems, as\nwell as the level of verification obtained through user acceptance testing. If user\nacceptance testing is to be relied upon as reported by the FEC, develop a testing\nenvironment so system users can properly verify Y2K renovations and system\nperformance.\n\nManagement\xe2\x80\x99s Comments to Audit Recommendation No. 8: \xe2\x80\x9cIn order to complete\nthe remediation of computer programs at the FEC, the following steps occurred:\n        1) Programs were copied\n        2) Those copied programs were replaced, remediated or retired\n        3) Updated programs were fully tested and put back into operation\nBased on the above, the FEC has completed 100% of all programs identified as mission\ncritical per our most recent OMB report.\xe2\x80\x9d\n\nOIG Response to Management\xe2\x80\x99s Comments for Audit Recommendation No. 8:\nManagement\xe2\x80\x99s comments do not address our recommendation. We recommend that the\nY2K project team conduct meetings with each division/office to reassess the number of\nmission critical systems, as well as the level of verification obtained through user\nacceptance testing. In addition, if user acceptance testing is to be relied upon as reported\nby the FEC, management should develop a testing environment so system users can\nproperly verify Y2K renovations and system performance.\n\n\n                       Compliance with Laws and Regulations\n\nAs previously stated, according to Federal regulations all Federal agencies have been\ndirected to notify each contractor providing essential computer services of policies\nestablished to ensure Y2K compliance. Those regulations require that all Federal\ncontractors either provide Y2K compliant technology, or ensure that non-compliant\ntechnology is upgraded to become Y2K compliant in a timely manner.16 During our\ninterviews with FEC staff, we determined that agency computer services contracts may\nnot have been reviewed to ensure that the appropriate Y2K provisions were included.\nEarly in our audit, we provided the agency\xe2\x80\x99s Y2K project team with the recommended\ncontract language developed by the Federal government. As part of our audit fieldwork,\nwe scheduled a comprehensive review of computer technology contracts in order to\ndetermine the level of compliance with applicable Federal regulations. However, upon our\nrequest in March 1999, the FEC was still unable to provide a listing of the contracts with\nthe vendors that supply computer services to the agency. Without being able to identify\n\n16\n  Title 48 of the Code of Federal Regulations (CFR), part 39.106 \xe2\x80\x9cYear 2000 compliance,\xe2\x80\x9d dated August\n7, 1997.\n\n\n                                                  22\n\n\x0cAudit Results                                                   Final Audit Report No. 98-08\n\n\nevery computer services contract, the FEC cannot ensure that each of its vendors has been\nnotified to provide only Y2K compliant technology.\n\nAudit Recommendation No. 9: We recommend that the FEC prepare a listing of all\ncomputer technology contracts, and evaluate those contracts to ensure that the\nappropriate Y2K language has been included to comply with Federal regulations.\n\nManagement\xe2\x80\x99s Comments to Audit Recommendation No. 9: \xe2\x80\x9cData Systems has\nidentified computer contracts to the Contracting Officer. We suggest that you\ncommunicate directly with the Contracting Officer regarding this particular issue. We\nwill notify them (current contractors with contracts through 2001) however specifically of\nthis requirement. In conclusion, current contracts are Y2K compliant.\xe2\x80\x9d\n\nOIG Response to Management\xe2\x80\x99s Comments for Audit Recommendation No. 9:\nManagement suggest that the OIG communicate directly with operational staff in order to\nresolve the audit recommendation. While we believe our recommendations and\nsuggestions would enhance the agency\xe2\x80\x99s Y2K renovation effort, the OIG is constrained by\nFederal law from directing FEC operations. Guidance on the scope of the OIG can be\nobtained from Public Law 95-452, as amended by Title 1 of the Inspector General Act\nAmendments, Public Law 100-504. Furthermore, management\xe2\x80\x99s suggestion raises\nconcerns whether the appointed project officials have the authority to coordinate agency-\nwide Y2K renovation efforts. Centralized planning and direction is crucial for large and\ncomplex agency-wide projects i.e., resolving the FEC\xe2\x80\x99s Y2K problem.\n\n\n                                      Conclusion\n\nClearly, the FEC has much to accomplish in the months ahead in order to prepare its\ncomputer systems for the new millennium. As previously stated, the FEC is reporting all\ninternally developed mission critical software as converted and tested. Feedback from the\nagency\xe2\x80\x99s proposed IV&V contract with an outside vendor should indicate the adequacy of\nthis conversion effort. Yet, successful renovation of in-house developed software is only\npart of the total Y2K project, significant though it may be. The areas addressed within\nthis audit report pose a substantial risk to the agency, if not properly resolved.\nFurthermore, in a letter to management we express additional concerns that the FEC has\nneither developed a comprehensive Y2K plan to support project management, nor has the\nY2K project team documented their efforts converting the in-house developed software\n(see Appendix D). Without immediate resolution, we believe these two conditions will\nonly increase the exposure of the FEC to the Y2K problem.\n\n\n\n\n                                            23\n\n\x0c Appendix A                                                        Final Audit Report No. 98-08\n\n\n\n\n                      Audit Survey of Year 2000 Renovations\n\n               User Acceptance Testing For Critical Computer Systems\n\n\n\nDepartment Name:\n\n\nName of Responding Official:\n(Note: Please Respond No Later Than February 26, 1999)\n\n\nName(s) of the Reported Mission Critical Computer Systems in Your Department:\n(Note: If you are unaware of a mission critical computer system within your area, please\nrespond by indicating such, and return your reply c/o: Dorothy Maddox-Holland, Office of\nInspector General. If you do not know the name of your system, use the name(s) as shown\nin the table presented at the end of this survey)\n\n\n\n\nQuestion No. 1:\n\n(a) Is the reported mission critical computer system(s) in your area of responsibility\nY2K compliant? (Yes or No, or Don\xe2\x80\x99t Know)\n\n\n\n(b) Has the Y2K compliant version been fully implemented (placed into operation)?\n(Yes or No, or Don\xe2\x80\x99t Know)\n\n\nIf Yes to both (a) and (b) for any system, please identify the system(s) as both compliant\nand implemented, and go to Question No. 2.\n\n\n\nIf No or Don\xe2\x80\x99t Know for either (a) or (b) for any system, you don\xe2\x80\x99t need to respond\nfurther for that particular system. Please identify the system(s) and its current status, if\nknown. If you have only one known mission critical system, and answered No or Don\xe2\x80\x99t\nKnow to either (a) or (b), after you identify that system you are finished with the survey.\nPlease return your response c/o: Dorothy Maddox-Holland, Office of Inspector General.\nThank you!\n\n\n\n\n                                              24\n\n\x0c Appendix A                                                      Final Audit Report No. 98-08\n\n\n\n\nQuestion No. 2:\n\nDid your department perform user acceptance testing of Y2K renovations for the\nmission critical computer system(s) in your area of responsibility after\nimplementation? (Yes or No)\n\n\n\nIf your answer to Question #2 is No for a system, identify each system and go to question\nNo. 3.\n\n\n\nIf your answer to Question No. 2 is Yes for a system, please list that system and answer\nthe following three questions before going to Question No. 3:\n\na)\t Were scripts prepared for users to follow to test the system\xe2\x80\x99s Y2K renovations? (Yes\n    or No) If Yes, please provide a copy of the test scripts along with your response to the\n    survey.\n\n\nb)\t Were unexpected test results logged? (Yes or No) If Yes, please provide a copy of\n    the exception report along with your response to the survey.\n\n\nc)\t From the list of four system components below, please indicate each that you tested in\n    conjunction with the mission critical system software:\n\n1)   application software,\n2)   hardware,\n3)   firmware,\n4)   communications network.\n\n\nQuestion No. 3:\n\nDid user department management review and approve the system\xe2\x80\x99s performance\nafter conversion for Y2K renovations? (Yes or No)\n\nPlease identify any system and indicate either Yes or No for that system.\n\n\n\n\n                                            25\n\n\x0cAppendix A                                                          Final Audit Report No. 98-08\n\n\n\n\n             Mission Critical Computer Systems Reported by FEC\n                 Y2K Quarterly Report to OMB, August 1998\n\n System                                                  Program Office\n\n Accounting                                              Administration Division\n Disclosure                                              Data Systems Development\n External Source Programs                                Data Systems Development\n Hardware                                                Data Systems Development\n Imaging Micro Updating                                  Public Disclosure Division\n Information                                             Information Division\n Mailroom                                                Administration Division\n Matching Funds Processing                               Audit Division\n OGC Tracking                                            Office of General Counsel\n Open/Closed Minutes Comm. Sec.                          Secretary of the Commission\n Payroll                                                 Administration Division\n Personnel                                               Administration Division\n Planning & Management                                   Planning and Management\n Press                                                   Press Office\n RAD                                                     Reports Analysis Division\n Teamlinks /Lotus Notes                                  Data Systems Development\n\n\n\n\n                 - - - - - - - - - - - End of Survey - - - - - - - - - - -\n\n\n\n\n                                            26\n\n\x0cAppendix B - Management Comments         Final Audit Report No. 98-08\n\n\n\n\n                                   27\n\n\x0cAppendix B - Management Comments         Final Audit Report No. 98-08\n\n\n\n\n                                   28\n\n\x0cAppendix B - Management Comments         Final Audit Report No. 98-08\n\n\n\n\n                                   29\n\n\x0cAppendix B - Management Comments         Final Audit Report No. 98-08\n\n\n\n\n                                   30\n\n\x0cAppendix B - Management Comments         Final Audit Report No. 98-08\n\n\n\n\n                                   31\n\n\x0cAppendix B - Management Comments         Final Audit Report No. 98-08\n\n\n\n\n                                   32\n\n\x0cAppendix C - OIG Response                                       Final Audit Report No. 98-08\n\n\n\n        OIG Response to Management\xe2\x80\x99s Comments on Draft Report\n\n         In its response to our draft audit report (see Appendix B), the FEC has expressed\ngeneral concurrence with our audit recommendations. The FEC\xe2\x80\x99s response also presents\nrecent steps that have been taken to address some of the issues raised both by OMB in its\nquarterly reporting, as well as from our audit. However, in management\xe2\x80\x99s response agency\nofficials express the following: \xe2\x80\x9cUnlike larger Agencies, the FEC does not have the\npersonnel resources to perform many of the recommendations outlined in the report.\xe2\x80\x9d We\nwould like to point out that all of the recommendations in the audit report are supported by\npublished OMB directives developed for small Federal agencies. Furthermore, both the\nAdministration and Congress made additional funding available to Federal agencies\nrequesting assistance in fixing Y2K problems. In its 8th Quarterly Report, under the\nsection relating to small and independent agencies, OMB makes the following offer: \xe2\x80\x9cFor\nthose agencies that are behind schedule, OMB will work with senior management to\nensure that they will be ready.\xe2\x80\x9d\n\n\n        Although, the agency\xe2\x80\x99s stated corrective actions taken and planned since the\nissuance of the draft audit report are encouraging, much needs to be accomplished within\nthe allotted time remaining. Of special concern in management\xe2\x80\x99s response is the\nuncertainty surrounding the scheduled late implementation of the Information Technology\ncontract (commonly referred to as the \xe2\x80\x9cADP contract,\xe2\x80\x9d see audit recommendation #3),\nwhich provides computer services for / between the FEC and the central computer facility\nhousing the Disclosure Database. At this time, agency officials only expect Y2K testing on\nthat contract to be accomplished by November 30, 1999. This is much later than\nestablished government-wide milestone dates and presents a significant risk to the FEC.\n\n\n         In regards to management\xe2\x80\x99s comments on contingency planning (refer to audit\nrecommendation #5), it is noted that the FEC has held preliminary discussions regarding\nthis issue and a formal plan is scheduled to be developed; however, recent OMB testimony\nbefore Congress indicates that all Federal agencies are expected to submit business\ncontinuity and contingency plans by June 15, 1999. Therefore, we believe that the FEC\nshould strongly consider the contributions and suggestions offered in Finding Number 1, of\nour Management Letter shown in Appendix D of this report. These suggestions include\nusing an electronic supplied version of a benchmark comprehensive Y2K plan as the\nfoundation for developing an FEC-wide team effort for contingency planning and staff\ninvolvement.\n\n\n\n\n                                            33\n\n\x0cAppendix C - OIG Response                                      Final Audit Report No. 98-08\n\n\n\n\n         In audit recommendations numbers six and nine, management suggests that the\nOIG communicate directly with operational staff in order to resolve the respective audit\nrecommendations. While we believe our recommendations and suggestions would enhance\nthe agency\xe2\x80\x99s Y2K renovation effort, the OIG is constrained by Federal law from directing\nFEC operations. Guidance on the scope of the OIG can be obtained from Public Law 95-\n452, as amended by Title 1 of the Inspector General Act Amendments, Public Law 100-\n504. Furthermore, management\xe2\x80\x99s suggestion raises concerns whether the appointed\nproject officials have the authority to coordinate agency-wide Y2K renovation efforts.\nCentralized planning and direction is crucial for large and complex agency-wide projects\ni.e., resolving the FEC\xe2\x80\x99s Y2K problem.\n\n\n        Addressing the verification efforts for agency renovations (refer to audit\nrecommendation #7), management\xe2\x80\x99s response reiterates \xe2\x80\x9cthe importance of conducting an\nindependent verification and validation of Y2K code compliance.\xe2\x80\x9d Management goes on\nto state: \xe2\x80\x9cIn order to ensure independent verification, validation will be accomplished at\nthe vendor site.\xe2\x80\x9d In our audit, we recommend conducting independent verification and\nvalidation. However, while verification of code at the vendors site provides a degree of\nassurance that due diligence was performed by the agency in repairing programming code;\nit should also be pointed out that the vendor usually will not attest to the level of\ncompliance. Consequently, the method recommended by both OMB and the GAO to\nensure code compliance, as well as the reliability of other Y2K renovations including\ncomputer hardware and communication software, is through end-to-end testing of each\nsystem.\n\n\n       With the limited time remaining, and considering the amount of effort and\ncoordination necessary to complete Y2K renovations at the FEC, there is a moderate\ndegree of risk that the agency may not be ready on time.\n\n\n\n\n                                            34\n\n\x0cAppendix D - Management Letter         Final Audit Report No. 98-08\n\n\n\n\n                                 35\n\n\x0cAppendix D - Management Letter         Final Audit Report No. 98-08\n\n\n\n\n                                 36\n\n\x0cAppendix D - Management Letter         Final Audit Report No. 98-08\n\n\n\n\n                                 37\n\n\x0c                           Distribution List\n\n\n\n\nPrimary Action Officials                                No. of Copies\n\n     Richard L. Hooper, Director, DSDD \n \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.\xe2\x80\xa6. 4\n     Year 2000 Project Manager\n\n     Federal Election Commission\n\n     999 E Street, N.W.\n\n     Room 833\n\n     Washington, DC 20463\n\n\n     James A. Pehrkon \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6 \n2\n     Staff Director\n\n     Federal Election Commission\n\n     999 E Street, N.W.\n\n     Room 933\n\n     Washington, DC 20463\n\n\n\nOther FEC Offices\n\n     The Commissioners \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6              6\n\n\n     Office of General Counsel \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..       1\n\n\n     Congressional Affairs Office \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..     1\n\n\n\n\n                                  38\n\n\x0c'